From a73d9e42984f8f582a2de640e34d7137696aa5eb Mon Sep 17 00:00:00 2001
From: Karol Szwaj
Date: Wed, 14 May 2025 11:14:25 +0200
Subject: [PATCH] fix: custom controller namespace refs in gateway namespace mode
Signed-off-by: Karol Szwaj
---
 internal/infrastructure/kubernetes/infra_resource.go | 5 +++--
 internal/infrastructure/kubernetes/proxy/resource.go | 4 ++--
 .../infrastructure/kubernetes/proxy/resource_provider.go | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/internal/infrastructure/kubernetes/infra_resource.go b/internal/infrastructure/kubernetes/infra_resource.go
index 018e5e00fa..b6fc188c46 100644
--- a/internal/infrastructure/kubernetes/infra_resource.go
+++ b/internal/infrastructure/kubernetes/infra_resource.go
@@ -21,6 +21,7 @@ import (
 "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/client"
+ "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy"
 "github.com/envoyproxy/gateway/internal/metrics"
 )
@@ -636,10 +637,10 @@ func (i *Infra) getEnvoyGatewayCA(ctx context.Context) string {
 secret := &corev1.Secret{}
 err := i.Client.Get(ctx, types.NamespacedName{
 Name: "envoy",
- Namespace: "envoy-gateway-system",
+ Namespace: i.ControllerNamespace,
 }, secret)
 if err != nil {
 return ""
 }
- return string(secret.Data["ca.crt"])
+ return string(secret.Data[proxy.XdsTLSCaFileName])
 }
diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go
index fcce7c0e43..481427ec00 100644
--- a/internal/infrastructure/kubernetes/proxy/resource.go
+++ b/internal/infrastructure/kubernetes/proxy/resource.go
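Review bot: `getEnvoyGatewayCA` in infra_resource.go still discards the error from `i.Client.Get` and returns `""`, so now that the namespace comes from `i.ControllerNamespace` an unset or wrong value looks the same as a Secret with no CA entry. The callers are outside this hunk, but an empty CA string is presumably propagated to the proxies' trust configuration, where it would show up later as an xDS TLS failure instead of at the lookup; I would surface the failure here, either by returning `(string, error)` or by logging the namespace and error before `return ""`. A missing key should be handled the same way: `ca, ok := secret.Data[proxy.XdsTLSCaFileName]` with an explicit failure when `!ok`. The value of `proxy.XdsTLSCaFileName` is not visible in this diff, so confirm it is still `ca.crt`; the Secret name `"envoy"` remains a literal next to it. The function's signature appears only in the hunk header, so a change to the return type would reach beyond these lines.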
@@ -308,7 +308,7 @@ func expectedContainerVolumeMounts(containerSpec *egv1a1.KubernetesContainerSpec
 }
 // expectedVolumes returns expected proxy deployment volumes.
-func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.KubernetesPodSpec, dnsDomain string) []corev1.Volume {
+func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.KubernetesPodSpec, dnsDomain, controllerNamespace string) []corev1.Volume {
 var volumes []corev1.Volume
 certsVolume := corev1.Volume{
 Name: "certs",
@@ -339,7 +339,7 @@ func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.Kubern
 },
 },
 }
- saAudience := fmt.Sprintf("%s.%s.svc.%s", config.EnvoyGatewayServiceName, config.DefaultNamespace, dnsDomain)
+ saAudience := fmt.Sprintf("%s.%s.svc.%s", config.EnvoyGatewayServiceName, controllerNamespace, dnsDomain)
 saTokenProjectedVolume := corev1.Volume{
 Name: "sa-token",
 VolumeSource: corev1.VolumeSource{
diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go
index 75d6397223..17c2ee647f 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_provider.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go
@@ -337,7 +337,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 SecurityContext: deploymentConfig.Pod.SecurityContext,
 Affinity: deploymentConfig.Pod.Affinity,
 Tolerations: deploymentConfig.Pod.Tolerations,
- Volumes: expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, deploymentConfig.Pod, r.DNSDomain),
+ Volumes: expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, deploymentConfig.Pod, r.DNSDomain, r.controllerNamespace),
 ImagePullSecrets: deploymentConfig.Pod.ImagePullSecrets,
 NodeSelector: deploymentConfig.Pod.NodeSelector,
 TopologySpreadConstraints: deploymentConfig.Pod.TopologySpreadConstraints,
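Review bot: In the second resource.go hunk, `saAudience` is built from `controllerNamespace` with no check that it is non-empty, so a render path that never sets it would produce an audience of the form `<service>..svc.<domain>` on the projected service-account token. The audience is what binds that token to the controller's xDS endpoint, so a malformed value would either be rejected by the server or, if the server does not compare audiences (its validation is not in this diff), pass unnoticed. A guard before the `Sprintf` keeps the previous behaviour as the fallback: `if controllerNamespace == "" { controllerNamespace = config.DefaultNamespace }`. The doc comment on `expectedVolumes` (first resource.go hunk) could also say that `controllerNamespace` feeds the token audience, since it now sits next to `dnsDomain` as a second positional string that is easy to swap at the two call sites in resource_provider.go. The diffstat lists no test files, so a case with a non-default controller namespace would be worth adding.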
@@ -560,7 +560,7 @@ func (r *ResourceRender) getPodSpec(
 SecurityContext: pod.SecurityContext,
 Affinity: pod.Affinity,
 Tolerations: pod.Tolerations,
- Volumes: expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, pod, r.DNSDomain),
+ Volumes: expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, pod, r.DNSDomain, r.controllerNamespace),
 ImagePullSecrets: pod.ImagePullSecrets,
 NodeSelector: pod.NodeSelector,
 TopologySpreadConstraints: pod.TopologySpreadConstraints,